CVE-2020-28199
📋 TL;DR
The Amazon Pay Plugin for Shopware before version 9.4.2 exposes sensitive Amazon secret keys in publicly accessible JavaScript files. This allows unauthorized actors to steal Amazon API credentials, potentially compromising Amazon seller accounts and payment processing. All Shopware installations using vulnerable plugin versions are affected.
💻 Affected Systems
- best it Amazon Pay Plugin for Shopware
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal Amazon secret keys, gain full access to Amazon seller accounts, process fraudulent transactions, steal funds, and compromise customer payment data.
Likely Case
Attackers harvest Amazon API credentials to make unauthorized API calls, potentially accessing order data, initiating refunds, or making fraudulent purchases.
If Mitigated
With proper network segmentation and monitoring, impact is limited to credential rotation and potential temporary service disruption.
🎯 Exploit Status
Exploitation requires viewing page source or accessing JavaScript files. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.2
Vendor Advisory: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136330
Restart Required: No
Instructions:
1. Log into the Shopware backend.
2. Navigate to the Plugin Manager.
3. Find the Amazon Pay Plugin.
4. Update it to version 9.4.2 or later.
5. Clear the Shopware cache.
🔧 Temporary Workarounds
Disable Amazon Pay Plugin
Linux: Temporarily disable the vulnerable plugin until it is patched (this also removes Amazon Pay as a checkout option for the duration):
php bin/console plugin:deactivate SwagAmazonPay
Block Access to JavaScript Files
All platforms: Restrict access to the plugin's JavaScript files in the web server configuration. Note that browsers need these files for the Amazon Pay widgets, so blocking them breaks Amazon Pay checkout until the plugin is updated.
# Apache (.htaccess or vhost); the Order/Deny form requires Apache 2.2 or mod_access_compat on 2.4
<Files "amazon-pay*">
Order allow,deny
Deny from all
# Apache 2.4 without mod_access_compat uses instead: Require all denied
</Files>
# Nginx (server block):
location ~* /amazon-pay.*\.js$ { deny all; }
🧯 If You Can't Patch
- Rotate all Amazon API keys immediately in Amazon Seller Central
- Implement WAF rules to block access to /amazon-pay*.js paths
🔍 How to Verify
Check if Vulnerable:
Visit your Shopware storefront, view the page source, search for 'amazon-pay' in the JavaScript URLs, and check whether those files contain Amazon secret keys in plain text.
Check Version:
php bin/console plugin:list | grep -i amazon
Verify Fix Applied:
After updating, verify plugin version is 9.4.2+ in Shopware backend, and check page source no longer exposes Amazon keys in JavaScript.
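The manual check above (view the page source, find the amazon-pay JavaScript files, look for a plaintext secret) can be scripted so it is repeatable before and after the update. The following is an added example, not code from the advisory, from aramido or from the plugin; it assumes the secret is exposed as a JavaScript property whose name contains "secret" with a 40-character value in the shape of an Amazon MWS/Amazon Pay secret key, and that an access key ID has the AKIA-prefixed 20-character shape. The JavaScript samples and key values are constructed placeholders (the secret is AWS's published example value), and a real run would feed it the contents of the amazon-pay*.js files downloaded from your own storefront.

```python
import re

# Constructed sample resembling a vulnerable storefront bundle; the credential
# values are placeholders in the shape of real ones, not real credentials.
VULNERABLE_JS = """
var amazonPayConfig = {
  sellerId: "A1EXAMPLESELLER",
  accessKeyId: "AKIAEXAMPLEEXAMPLE12",
  secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "de"
};
"""

# Constructed sample of what a bundle should look like after the fix:
# only public identifiers, no secret material.
FIXED_JS = """
var amazonPayConfig = {
  sellerId: "A1EXAMPLESELLER",
  clientId: "amzn1.application-oa2-client.exampleclientid",
  region: "de"
};
"""

# A property whose name starts with "secret" (secretKey, secret_access_key, ...)
# assigned a quoted 40-character base64-like value.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(secret[a-z_]*)\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)
# Amazon access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_exposed_credentials(js_source):
    """Return (kind, value) pairs for every credential-shaped value in the script."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(js_source):
        findings.append(("access_key_id", m.group(0)))
    for m in SECRET_ASSIGNMENT.finditer(js_source):
        findings.append(("secret_key", m.group(2)))
    return findings


def is_exposed(js_source):
    """True when a secret key (the sensitive part) is present in the script."""
    return any(kind == "secret_key" for kind, _ in find_exposed_credentials(js_source))


def redact(value, keep=4):
    """Show only a prefix so findings can be logged without copying the secret around."""
    return value[:keep] + "*" * (len(value) - keep)


if __name__ == "__main__":
    for label, source in (("vulnerable sample", VULNERABLE_JS), ("fixed sample", FIXED_JS)):
        findings = find_exposed_credentials(source)
        print(f"{label}: exposed={is_exposed(source)}")
        for kind, value in findings:
            print(f"  {kind}: {redact(value)}")
```

Run it against each amazon-pay*.js file the storefront serves; an empty result for the secret pattern after updating to 9.4.2 is the "check page source no longer exposes Amazon keys" step in scripted form. Any secret found before the update should be treated as compromised and rotated, not merely removed.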
📡 Detection & Monitoring
Log Indicators:
- Unusual Amazon API calls from unexpected IPs
- Multiple failed Amazon API authentication attempts
Network Indicators:
- External requests to /amazon-pay*.js files
- Outbound connections to Amazon API from unauthorized sources
SIEM Query:
source="web_access_logs" AND uri="/amazon-pay*" AND response_code=200
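The SIEM query above matches every successful request for the plugin's JavaScript, which includes ordinary shoppers whose browsers load it as part of the checkout page, so on its own it is noisy. The following is an added example, not part of the advisory, that applies the same filter to Apache combined-format access-log lines and adds one heuristic on top (an assumption, not something the advisory states): a client whose only requests are for amazon-pay*.js files never loaded a storefront page and is therefore fetching the script directly. The log lines, IP addresses and file paths are constructed placeholders; a real Shopware install serves the bundle from its own theme or cache path.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (not real traffic); the IPs
# are from documentation ranges and the paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2020:10:00:01 +0100] "GET /frontend/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2020:10:00:02 +0100] "GET /web/cache/amazon-pay.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2020:10:05:00 +0100] "GET /web/cache/amazon-pay.js HTTP/1.1" 200 2048 "-" "python-requests/2.24"
203.0.113.9 - - [10/Nov/2020:10:05:01 +0100] "GET /web/cache/amazon-pay-config.js HTTP/1.1" 404 0 "-" "python-requests/2.24"
""".splitlines()

# Minimal combined-format parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Same intent as the SIEM pattern uri="/amazon-pay*": the plugin bundle name
# with any suffix, ending in .js, wherever it sits in the path.
AMAZON_PAY_JS = re.compile(r'/amazon-pay[^/?]*\.js(\?|$)')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def select_js_hits(lines):
    """Successful (200) fetches of amazon-pay*.js as (client ip, path) pairs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and AMAZON_PAY_JS.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def flag_direct_fetchers(lines):
    """Clients whose every request in the window was for an amazon-pay*.js file.
    Heuristic: a browser rendering the checkout also requests storefront pages,
    so a client that requested nothing else is pulling the script on its own."""
    paths_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            paths_by_ip[rec["ip"]].append(rec["path"])
    return {ip for ip, paths in paths_by_ip.items()
            if all(AMAZON_PAY_JS.search(p) for p in paths)}


if __name__ == "__main__":
    for ip, path in select_js_hits(SAMPLE_LOG):
        print(f"200 {ip} {path}")
    print("direct fetchers:", sorted(flag_direct_fetchers(SAMPLE_LOG)))
```

The flagged clients are the ones worth correlating with the Amazon-side indicators listed above (API calls from unexpected IPs, failed authentication attempts); a hit on the plain filter alone is expected traffic for any store with Amazon Pay enabled.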
🔗 References
- https://aramido.de/blog/sicherheitshinweise/sicherheitswarnung-amazon-secret-key-offentlich-einsehbar-cve-2020-28199
- https://aramido.de/media/aramido-2020-006-disclosure-amazon-secret-access-key.md